[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[exelist] Re: new ASPack

To: exelist@egroups.com
Subject: [exelist] Re: new ASPack
From: mr_stranger@...
Date: Fri, 30 Apr 1999 08:55:53 -0000
Delivered-to: listsaver-of-exelist@egroups.com
Delivered-to: listsaver-egroups-exelist@egroups.com
In-reply-to: <3.0.6.32.19990430005715.007bc160@...>
Mailing-list: contact exelist-owner@egroups.com
Reply-to: exelist@egroups.com

> Such "new" Aspack has some tricks that make unpacking "a little" different
> (not harder).
> In any case,  the last step (assembly instruction) of the loader is always
> at <Loader_RVA + 8F> .  Put a breakpoint on it (the loader is usually the
> .adata object) and read EAX register.  Such value will be the original
> EntryPoint.  
> 
> Use Procdump in order to Full Dump the running process (set Options to
> "Rebuild New Import Table").  Then use any hex editor (or better, the
> built-in ProcDump Pe Editor) to change the Entry_Point_Rva.
> 
> btw...the Ieye file original EntryPointRva is 22960h ;)

Thanks!!! It orks!


------------------------------------------------------------------------
eGroup home: http://www.eGroups.com/group/exelist
http://www.eGroups.com - Simplifying group communications

References:
- [exelist] Re: new ASPack
  - From: "Rafael R. H. d'El-Rey" <delrey@...>

Prev by Date: [exelist] R!SC's Process Patcher Engine
Next by Date: [exelist] Delete me!
Previous by thread: [exelist] Re: new ASPack
Next by thread: [exelist] R!SC's Process Patcher Engine
Index(es):
- Date
- Thread